Пример #1
0
def test_flatline_no_data():
    rules = {
        'timeframe': datetime.timedelta(seconds=30),
        'threshold': 2,
        'timestamp_field': '@timestamp',
    }

    rule = FlatlineRule(rules)

    # Initial lack of data
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:00Z'))
    assert len(rule.matches) == 0

    # Passed the timeframe, still no events
    rule.garbage_collect(ts_to_dt('2014-09-26T12:35:00Z'))
    assert len(rule.matches) == 1
Пример #2
0
def test_flatline():
    events = hits(10)
    rules = {'timeframe': datetime.timedelta(seconds=30),
             'threshold': 2,
             'timestamp_field': '@timestamp'}

    rule = FlatlineRule(rules)

    # 1 hit should cause an alert until after at least 30 seconds pass
    rule.add_data(hits(1))
    assert rule.matches == []

    rule.add_data(events)

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
    assert rule.matches == []

    # This would be run if the query returned nothing for a future timestamp
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:45Z'))
    assert len(rule.matches) == 1
Пример #3
0
def test_flatline():
    events = hits(10)
    rules = {"timeframe": datetime.timedelta(seconds=30), "threshold": 2, "timestamp_field": "@timestamp"}

    rule = FlatlineRule(rules)

    # 1 hit should cause an alert until after at least 30 seconds pass
    rule.add_data(hits(1))
    assert rule.matches == []

    rule.add_data(events)

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt("2014-09-26T12:00:11Z"))
    assert rule.matches == []

    # This would be run if the query returned nothing for a future timestamp
    rule.garbage_collect(ts_to_dt("2014-09-26T12:00:45Z"))
    assert len(rule.matches) == 1
Пример #4
0
def test_flatline_no_data():
    rules = {
        'timeframe': datetime.timedelta(seconds=30),
        'threshold': 2,
        'timestamp_field': '@timestamp',
    }

    rule = FlatlineRule(rules)

    # Initial lack of data
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:00Z'))
    assert len(rule.matches) == 0

    # Passed the timeframe, still no events
    rule.garbage_collect(ts_to_dt('2014-09-26T12:35:00Z'))
    assert len(rule.matches) == 1
def test_flatline_query_key():
    rules = {
        'timeframe': datetime.timedelta(seconds=30),
        'threshold': 1,
        'use_query_key': True,
        'query_key': 'qk',
        'timestamp_field': '@timestamp'
    }

    rule = FlatlineRule(rules)

    # Adding two separate query keys, the flatline rule should trigger for both
    rule.add_data(hits(1, qk='key1'))
    rule.add_data(hits(1, qk='key2'))
    rule.add_data(hits(1, qk='key3'))
    assert rule.matches == []

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
    assert rule.matches == []

    # Add new data from key3. It will not immediately cause an alert
    rule.add_data([create_event(ts_to_dt('2014-09-26T12:00:20Z'), qk='key3')])

    # key1 and key2 have not had any new data, so they will trigger the flatline alert
    timestamp = '2014-09-26T12:00:45Z'
    rule.garbage_collect(ts_to_dt(timestamp))
    assert len(rule.matches) == 2
    assert set(['key1', 'key2']) == set(
        [m['key'] for m in rule.matches if m['@timestamp'] == timestamp])

    # Next time the rule runs, the key1 and key2 will have been forgotten. Now key3 will cause an alert
    timestamp = '2014-09-26T12:01:20Z'
    rule.garbage_collect(ts_to_dt(timestamp))
    assert len(rule.matches) == 3
    assert set(['key3']) == set(
        [m['key'] for m in rule.matches if m['@timestamp'] == timestamp])
def test_flatline_count():
    rules = {
        'timeframe': datetime.timedelta(seconds=30),
        'threshold': 1,
        'timestamp_field': '@timestamp'
    }
    rule = FlatlineRule(rules)
    rule.add_count_data({ts_to_dt('2014-10-11T00:00:00'): 1})
    rule.garbage_collect(ts_to_dt('2014-10-11T00:00:10'))
    assert len(rule.matches) == 0
    rule.add_count_data({ts_to_dt('2014-10-11T00:00:15'): 0})
    rule.garbage_collect(ts_to_dt('2014-10-11T00:00:20'))
    assert len(rule.matches) == 0
    rule.add_count_data({ts_to_dt('2014-10-11T00:00:35'): 0})
    assert len(rule.matches) == 1
Пример #7
0
def test_flatline_query_key():
    rules = {'timeframe': datetime.timedelta(seconds=30),
             'threshold': 1,
             'use_query_key': True,
             'query_key': 'qk',
             'timestamp_field': '@timestamp'}

    rule = FlatlineRule(rules)

    # Adding two separate query keys, the flatline rule should trigger for both
    rule.add_data(hits(1, qk='key1'))
    rule.add_data(hits(1, qk='key2'))
    rule.add_data(hits(1, qk='key3'))
    assert rule.matches == []

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
    assert rule.matches == []

    # Add new data from key3. It will not immediately cause an alert
    rule.add_data([create_event(ts_to_dt('2014-09-26T12:00:20Z'), qk='key3')])

    # key1 and key2 have not had any new data, so they will trigger the flatline alert
    timestamp = '2014-09-26T12:00:45Z'
    rule.garbage_collect(ts_to_dt(timestamp))
    assert len(rule.matches) == 2
    assert set(['key1', 'key2']) == set([m['key'] for m in rule.matches if m['@timestamp'] == timestamp])

    # Next time the rule runs, the key1 and key2 will have been forgotten. Now key3 will cause an alert
    timestamp = '2014-09-26T12:01:20Z'
    rule.garbage_collect(ts_to_dt(timestamp))
    assert len(rule.matches) == 3
    assert set(['key3']) == set([m['key'] for m in rule.matches if m['@timestamp'] == timestamp])
Пример #8
0
def test_flatline_count():
    rules = {'timeframe': datetime.timedelta(seconds=30),
             'threshold': 1,
             'timestamp_field': '@timestamp'}
    rule = FlatlineRule(rules)
    rule.add_count_data({ts_to_dt('2014-10-11T00:00:00'): 1})
    rule.garbage_collect(ts_to_dt('2014-10-11T00:00:10'))
    assert len(rule.matches) == 0
    rule.add_count_data({ts_to_dt('2014-10-11T00:00:15'): 0})
    rule.garbage_collect(ts_to_dt('2014-10-11T00:00:20'))
    assert len(rule.matches) == 0
    rule.add_count_data({ts_to_dt('2014-10-11T00:00:35'): 0})
    assert len(rule.matches) == 1
Пример #9
0
def test_flatline_forget_query_key():
    rules = {
        'timeframe': datetime.timedelta(seconds=30),
        'threshold': 1,
        'query_key': 'qk',
        'forget_keys': True,
        'timestamp_field': '@timestamp'
    }

    rule = FlatlineRule(rules)

    # Adding two separate query keys, the flatline rule should trigger for both
    rule.add_data(hits(1, qk='key1'))
    assert rule.matches == []

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
    assert rule.matches == []

    # Key1 should not alert
    timestamp = '2014-09-26T12:00:45Z'
    rule.garbage_collect(ts_to_dt(timestamp))
    assert len(rule.matches) == 1
    rule.matches = []

    # key1 was forgotten, so no more matches
    rule.garbage_collect(ts_to_dt('2014-09-26T12:01:11Z'))
    assert rule.matches == []
Пример #10
0
def test_flatline():
    events = hits(40)
    rules = {
        'timeframe': datetime.timedelta(seconds=30),
        'threshold': 2,
        'timestamp_field': '@timestamp',
    }

    rule = FlatlineRule(rules)

    # 1 hit should cause an alert until after at least 30 seconds pass
    rule.add_data(hits(1))
    assert rule.matches == []

    # Add hits with timestamps 2014-09-26T12:00:00 --> 2014-09-26T12:00:09
    rule.add_data(events[0:10])

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
    assert rule.matches == []

    # This would be run if the query returned nothing for a future timestamp
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:45Z'))
    assert len(rule.matches) == 1

    # After another garbage collection, since there are still no events, a new match is added
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:50Z'))
    assert len(rule.matches) == 2

    # Add hits with timestamps 2014-09-26T12:00:30 --> 2014-09-26T12:00:39
    rule.add_data(events[30:])

    # Now that there is data in the last 30 minutes, no more matches should be added
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:55Z'))
    assert len(rule.matches) == 2

    # After that window passes with no more data, a new match is added
    rule.garbage_collect(ts_to_dt('2014-09-26T12:01:11Z'))
    assert len(rule.matches) == 3
Пример #11
0
def test_flatline():
    events = hits(40)
    rules = {
        'timeframe': datetime.timedelta(seconds=30),
        'threshold': 2,
        'timestamp_field': '@timestamp',
    }

    rule = FlatlineRule(rules)

    # 1 hit should cause an alert until after at least 30 seconds pass
    rule.add_data(hits(1))
    assert rule.matches == []

    # Add hits with timestamps 2014-09-26T12:00:00 --> 2014-09-26T12:00:09
    rule.add_data(events[0:10])

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
    assert rule.matches == []

    # This would be run if the query returned nothing for a future timestamp
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:45Z'))
    assert len(rule.matches) == 1

    # After another garbage collection, since there are still no events, a new match is added
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:50Z'))
    assert len(rule.matches) == 2

    # Add hits with timestamps 2014-09-26T12:00:30 --> 2014-09-26T12:00:39
    rule.add_data(events[30:])

    # Now that there is data in the last 30 minutes, no more matches should be added
    rule.garbage_collect(ts_to_dt('2014-09-26T12:00:55Z'))
    assert len(rule.matches) == 2

    # After that window passes with no more data, a new match is added
    rule.garbage_collect(ts_to_dt('2014-09-26T12:01:11Z'))
    assert len(rule.matches) == 3
Пример #12
0
def test_flatline_query_key():
    rules = {
        "timeframe": datetime.timedelta(seconds=30),
        "threshold": 1,
        "use_query_key": True,
        "query_key": "qk",
        "timestamp_field": "@timestamp",
    }

    rule = FlatlineRule(rules)

    # Adding two separate query keys, the flatline rule should trigger for both
    rule.add_data(hits(1, qk="key1"))
    rule.add_data(hits(1, qk="key2"))
    rule.add_data(hits(1, qk="key3"))
    assert rule.matches == []

    # This will be run at the end of the hits
    rule.garbage_collect(ts_to_dt("2014-09-26T12:00:11Z"))
    assert rule.matches == []

    # Add new data from key3. It will not immediately cause an alert
    rule.add_data([create_event(ts_to_dt("2014-09-26T12:00:20Z"), qk="key3")])

    # key1 and key2 have not had any new data, so they will trigger the flatline alert
    timestamp = "2014-09-26T12:00:45Z"
    rule.garbage_collect(ts_to_dt(timestamp))
    assert len(rule.matches) == 2
    assert set(["key1", "key2"]) == set([m["key"] for m in rule.matches if m["@timestamp"] == timestamp])

    # Next time the rule runs, the key1 and key2 will have been forgotten. Now key3 will cause an alert
    timestamp = "2014-09-26T12:01:20Z"
    rule.garbage_collect(ts_to_dt(timestamp))
    assert len(rule.matches) == 3
    assert set(["key3"]) == set([m["key"] for m in rule.matches if m["@timestamp"] == timestamp])
Пример #13
0
def test_flatline_count():
    rules = {"timeframe": datetime.timedelta(seconds=30), "threshold": 1, "timestamp_field": "@timestamp"}
    rule = FlatlineRule(rules)
    rule.add_count_data({ts_to_dt("2014-10-11T00:00:00"): 1})
    rule.garbage_collect(ts_to_dt("2014-10-11T00:00:10"))
    assert len(rule.matches) == 0
    rule.add_count_data({ts_to_dt("2014-10-11T00:00:15"): 0})
    rule.garbage_collect(ts_to_dt("2014-10-11T00:00:20"))
    assert len(rule.matches) == 0
    rule.add_count_data({ts_to_dt("2014-10-11T00:00:35"): 0})
    assert len(rule.matches) == 1